I had the same issue upgrading from an encrypted Fusion drive where no disk password or recovery key was accepted. I booted from the recovery partition and was able to unlock the drive with my disk password. It looks like the APFS conversion of encrypted drives is buggy and fails to create a fully working APFS Preboot area. I did most of the diagnostics using diskutil from the cli as Disk Utility was beachballing. If you run diskutil apfs listcryptousers it didn’t seem to have an entry for the disk password. Also whilst you could initiate decryption with diskutil apfs decryptvolume, it would hang at 0%, presumably something missing from the recovery instance.

I restored from backup leaving the drive unencrypted and retried the upgrade and that worked fine.

I, too, had an encrypted APFS volume that could never be unlocked at the pre-boot Disk Password dialogue.

If you wish to regain use of the volume as a startup volume, without restoring from a backup, your best bet may be Recovery OS to decrypt the volume. After decryption begins, progress may be shown by mounting the volume then running:

diskutil apfs listcryptousers …

If a percentage is not shown, wait then re-run the command. Eventually there will be a sixty second estimate. Ignore that, it's inaccurate. Be patient.

After decryption is complete there should be no reliance upon the pre-boot volume.

Same as my situation, but once I've use diskutil apfs decryptVolume to decrypt volume, but after I enter this command, quickly it crashed my macOS 10.13, then I can't boot my mac and also can't read any files anymore, after I boot into Recovery Mode to unlock the volume with my passphrase, all the encrypted files on the volume can be list and not modified, but they can't decrypt by FileVault2 and let me read raw encrypted data, and I use diskutil to check crypto users, that said I'm in decrypting action but paused state of my volume?

Is there have some way to have to continue decrypting in Recovery Mode? In previous coreStorage can be done this things by manual activating corestoraged in terminal to continue encrypting/decrypting, but in this APFS does have any way to migration successful or revert the state?

I had this same issue. Of note, I also converted to APFS and have had a working BootCamp Partition setup with Windows 10. I just installed the Creators Update for Win10 and did some work on the WIndows Side, and then used the Apple BootCamp Control Panel utility to set my Apple partition as the startup drive. That brought me almost immidiately to the prompt for the Disk Password. And nothing I entered was working. Not sure what that password would be, e

either.

I was abel to reboot and hold down Option and then select my Apple Drive and it started up normally. BUT, rebooting again brought me to the same prompt for my Disk Password... I did the same, boot up holding down Option, selected my Apple Drive, and then once I was back at my desktop I went to Systemn Preferences / Startup Disk, and saw that nothing was actually selected there. Once I selected my Apple Drive as the Startup Volume, everything was working normally again.

I had the same problem on my 15" MacBook Pro early 2011 with a FV2 encrypted homemade fusion drive after it slept during install. To make matters worse it wouldn't even boot into the recovery partion (although it would boot into the password recovery utility). I ended up creating a bootable USB drive so I could get to an OS 10.13 terminal window.

After some research and a lot of trial and error I came up with a solution that worked for me:

If it ends with an overall error of 0 then that's it. Done! Reboot and be prepared to wait. The first boot took an an inordinate amount of time for me. I was patient and let it do it's thing and it paid off. Finder finally loaded and everything opened up to it's pre-upgrade status.

If you see errors while updatePreboot is considering the Open Directory User ensure your unlocked APFS volume is mounted and readable. It must have access to the local Open Directory search path (/var/db/dslocal/nodes/Default) to build a list of authorized users (AdminUserRecoveryInfo.plist) and an access token (secureaccesstoken.plist) and copy them onto the Preboot volume (/Volumes/Preboot/6AAC9D56-EC44-38B3-9C50-1D6DA3020377/var/db/).

I suspect it is updatePreboot that causes this problem during install. I have a working theory on why it is happening: The OS Installer reboots the system. After restart the CoreStorage volume is unlocked and converted to APFS after which the OS install process begins. When the install is complete, just before the final reboot, updatePreboot is applied to the FV2 boot volume. We have already shown that updatePreboot will fail if the FV2 volume is locked and I'm fairly sure FV2 volumes lock (or have the encryption keys destroyed) at sleep. Following this logic: if the machine sleeps during (or at the end of) the install process but before updatePreboot runs, the Preboot volume will fail to get updated. The machine then reboots: EFI sees the FV2 boot volume so it looks to the (improperly updated) Preboot volume for authorized users. EFI fails to find any admin users since updatePreboot could not read them from Open Directory on the locked boot volume so it displays the generic "disk password" prompt. This is also why neither the recovery key nor an icloud account will unlock the drive.

I hope this helps anyone with this issue. Also, please feel free to correct any glaring mistakes I may have made.

Scot, In my case this fails because it is unable to load the open directory with the list of users. Similarly I also tried to “resetpassword” which failed for the same reason - no users found... Any idea?

thanks. i did this and my login is appear again. but when i logged in this error appear “ MacOS could not be installed on your computer the path /System/installation/packages/OSInstall.mpkg appears to be missing or damaged. quit the installer to restart your computer and try again.” but when tap on restart same problem appears again. anyone can help me ?

i try it.but i can't.when i try to choose disk for install os on it say it's decrypted.i thing it's about startup disk.if i can change startup disk to Macintosh HD it going to be worked but startup disk in recovery mode don't show any disk to choose.do you have idea to change startup disk with command line?

I didn't have this problem. I think it's none business with startup disk. When i start my macbook with recovery mode. I can choose to install high Sierra, which is the second choice. And then it just starts to install the new system

I have the same problem and if I try to reinstall the sistem in recovery mode, I can’t select the hard-disk because it’s in decrypting mode. In terminal, using apfs list, I can see decrypting 0.0 % (paused). I’m blocked and I don’t know how to solve... someone can help us please? All previuos indication works fine without errors.

Thanks croaker! I am updting my Macbook Pro from Sierra to High Sierra. I left it upgrade overnight and I am stuck at the Disk Password page where none of my passwords works. I had filevault encryption on before the update.

A simplified version of croaker's answer worked for me.

diskutil apfs list

When I run the above command, the output info is similar to croaker's answer, however the disk2 is not mounted. "diskutil apfs unlockvolume disk2s1" failed. So I tried to mount the disk.

diskutil mountDisk /dev/disk2

The mount didn't work, complaining cannot mount stuff. So I check

diskutil list

and realize there are three disks. 0 --> AFS something; 1--> HFS something; 2--> the apfs disk2 that showed up in my "diskutil apfs list" commnad.

I have one SSD. Yet both disk0 and disk2 point to the same physical disk. So I tried to unmount disk0 and mount disk2. The unmount was successful and mount failed again. I update the preboot anyways.

diskutil apfs updatePreboot disk2s1

It ended with error=0, which was very promising. After I reboot and a long wait (5min), I am in the new macOS.

Thanks to coraker for the sharing and analysis. I don't know why in my case it worked without unlocking the volume...

Similar story with some variation. Two of my laptops upgraded fine. But on the third one download was taking forever (around 15 minutes each on the first two vs. third one was showing an estimate of 10 hours). I suspect this is Apple server overloaded because I did a speed test on my local network and it showed 100Mbs download same as when the first two upgraded in under 15 minutes. So I left this third one downloading overnight and it is now stuck in this situation.

In my case too, from terminal during recovery mode, disk2 was not mounted. But "diskutil apfs unlockvolume disk2s1" succeeded but it mounted it to "/Volumes/Macintosh HD" and not to "/".

I then tried "diskutil apfs updatePreboot disk2s1". It failed with -69569 error because it was unable to open Open Directory database from: "/Volumes/Macintosh HD/var/db/dslocal/nodes/Default". The path "/var/db/dslocal/nodes/Default" does it exist. Tried running some "diskutil unmountDisk" commands on disk0, disk1 and disk2 but they all failed. Debating if I should make a symbolic link. May also try recovery USB to boot into it to see if it changes anything. Not sure how unencryptvolume (and long wait) will help here as the issue seems to be a mounting problem.

Anyone else have any other thoughts to get out of this situation please let me know.

That is what did the trick for me. I was able to complete installation and backup my files just in case. This was btw using the official High Sierra installer from the App store, the download finished and my MacBook restarted. When it tried to install it gave me an error, rebooted again and booted to a Folder Icon with a Question Mark in it.

I just wanted to give a big Thanks for this solution...I was crapping bricks last night and burned 3-4 hours trying to get my MacBook Pro to boot. This did it along with jinsung's procedure to point at the Default file in Recovered Files....

UPDATE:I did the following and it worked:1. Boot into recovery mode (command + R) at boot2. Select Terminal from the Utilities Menu (Following croakers steps here)3. diskutil apfs list4. diskutil apfs unlockvolume disk2s1 (My Machintosh HD drive from list)5. diskutil apfs updatePreboot disk2s1 (To see if I get any errors ((error=(0=success)))6. diskutil apfs updatePreboot disk2s1 -od /Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default - Important here -This is the step I was missing! This worked without any errors

Note: In the other posts I was seeing a "Recovery\ Items" folder in which I didnt have one but this step was crucial to making this work. It was stated that you need to find the path to your user folder (plist)

After I did the above I closed the terminal, slected reboot from the menu. It rebooted normally and asked for my password and it worked it started the status bar thing again but in 5 minutes it resumed upgrading to High Sierra it then displayed a 15 Minute timer for installing and its now working

I hope this helps you all - try this Before decrypting the drive save you some time

Thank you! I'm finally getting - an overall error of 0. Now, can I reboot directly from the terminal (if yes, how) or should I Restart the Mac and press Option key to enter to the Startup Manager and then select the boot drive?

I used your instructions, they where very helpful. It did took me a while to work out the thing when having a space in the name of a disk "Rick\ disk".

I did every steps, to find my system still gave me the error related to the open directory user db. This is maybe related to the fact that I did not quite understood the last part of your post, where you explain a number of things, however not including the instruction on how to do that.

f you see errors while updatePreboot is considering the Open Directory User ensure your unlocked APFS volume is mounted and readable. It must have access to the local Open Directory search path (/var/db/dslocal/nodes/Default) to build a list of authorized users (AdminUserRecoveryInfo.plist) and an access token (secureaccesstoken.plist) and copy them onto the Preboot volume (/Volumes/Preboot/6AAC9D56-EC44-38B3-9C50-1D6DA3020377/var/db/).

Is it possible you to explain this a bit more.

Now I am at the point where my disk is decryting, and having it "paused" at 10%, typing the command again result in the error -69573 volume is already decrypting.

Thanks to everyone for their input on this issue. I'm very disappointed with Apple. I'm in Terminal from a Recovery Boot but typing "diskutil apfs" returns "did not recognize verb "apfs" Where does that leave me?

I ran into this last night, while upgrading Sierra to High Sierra on my new MacBook Pro (15", 2017), having never installed a beta. My scenario is slightly different than croaker's in that I have two users (with admin privileges, for what it's worth), and one could not be decrypted with the updatePreboot command, resulting in errors. Haraguroicha Hsu did give me the idea to decrypt the main volume, which took about 16 hours (100 GB of storage). But after the decryption completed, I restarted, the installation proceeded, and after about 30 minutes High Sierra was installed and running normally. So if running

diskutils apfs updatePreboot <disk-id>

doesn't work, I suggest decrypting the disk:

diskutils apfs decryptVolume <disk-id>

And then (after many, many hours) restarting. Be sure to turn FileVault back on when installation completes.

Hello! I followed your commands and it’s says “Background decryption is ongoing; see ‘diskutil apfs list” to see the progress When I entered the above command, it says “Decryption Progress: 10% (Unlocked) My question is “how long does it take to completely unlock?”. You had mentioned hours and house, just curious to know how much hours

After the BootCamp installation, I restard to set the default boot to Mac OS but I stopped on the FileVault password request for my account.It wont recognize my password... On the top-right corner, it show "French - Numeric" keyboard layout is active but in fact it is not... I have to chose the "French - PC" layout and type like it was a PC keyboard to make my password works.

So, for me, it is not a problem of cryptography but simply a problem of keyboard layout...Try some other keyboard layouts and test your password again and again.It is way harder to find a working keyboard if your password contains symbols.

Hi, i have a bigger Problem... I tried to upgrade to high sierra - the update stuck so I had to switch of my macbook pro retina 2012... Now I restarted and tried to install high sierra via recovery mode. 2 hours later macbook wants disk password - nothing works ... So I think I don‘t have any bootable system— what should I do now? Apple cant help me- they want me to delete the volume- but I have data which are not backuped... any ideas???

see croaker's post where they describe "/var/db/dslocal/nodes/Default" .... If you can mount your drive via the recovery partition using the original file vault password, try to unlock and mount it. Then on the drive un-encrypted drive there should be a "Recovered Files" folder, I found my "/var/db/dslocal/nodes/Default" in there and copied it to the preboot (/var/db/dslocal/nodes/Default). I was able to get back to my login screen instead of the "Disk Password"...

Hope this kind of helps!

my issue now is my disk is stuck decrypting 12% and I cant find a way to force it to make any progress...

I may have a solution to the stuck disk unlocking... I was abe to upgrade my old macbook pro to High Sierra without any issues. After doing so I booted the problematic mac into target disk mode then connected to the old mac ( in my case touchbar MBP via USB - C to thunderbolt adapter to old mac). After connecting I was prompted to unlock my drive which worked with my filevault password. I continued to monitor the diskutil apfs list and suddenly it switch from paused and moved up 1%. I set my old mac to never go to sleep and only turn off the display, and overnight I got up to 83.0% (Unlocked)... I am hoping it will finish out later on today!

Hi, I have the same issue. I found the files under Revovered Items/private/var/db/dslocal/nodes/Default and I copied everything from the db folder into the preboot drive and also copied them to /Macintosh HD/var/db/dslocal/nodes/Default But when I restart my computer the "Disk Password" request appears again.

I am following your steps right? Any ideas? Really appreciated. This has proven to become a nightmare.

See Jinsung's post he has some quite detailed instructions on the files to copy for open directory. The key is to verify that your user account exists within the subfolder under /private/var/db/dslocal/nodes/Default/Users. Should be yourusername.plist. In Jinsung's post it looks like he is updating the preboot in one command, I did it with two steps. First copying the files, then updating the preboot without the argument for which open directory path to use. Either should work.

As far as my progress I was able to get fully unlocked, and reinstalled without an issue!

It took me about 12 hours for the disk to reach 100%. After rebooting it still didn't work because the computer complained that the installer was corrupted. I had to reboot in recovery mode and finally high Sierra did install properly!

Hi, I am having the same problem and instead opted to decrypt my drive. The decryption was successful, it took me almost 16 hours. Then after that, I restarted and the installation proceeded. But the installation was not successful. What should I do next? Should I try reinstalling in recovery mode, or should I backup my drive then perform a clean install? Reinstalling high sierra requires a mac os journaled file system? If that so, how can I backup my drive in recovery mode so that I can reformat my drive to hfs+? I was not able to create a backup before... Any reply or help will bw very much appreciated.

My drive is already converted to apfs... I would like to know if I can still recover data from my drive. I wasn't able to do croaker's method before because I couldn't find the directory, but during the decryption process, I was able to locate it. After the installation proceeded, when I try to restart, my mbp now shows a circle with slash during startup. My drive is ok when I run first aid. I was asked to run diagnostics and showed that my drive has no issues..

As macOS 10.13 HS is now public, user-centric non-beta queries/comments such as this are perhaps best put to Apple's public community support forums, run by AppleCare, and/or Apple's twitter support account, vs. risking off-topic here in the DevForums, thanks and good luck.

For those like me who updated with no backup and ended up with the decryption paused this is what worked for me, and allowed me to recover all my info. I took a High Sierra USB install disk, and Installed High Sierra on to an External drive. Took about 3 hours to fully install. Upon the start up I was given the Migration Option to which I chose to migrate from my Encrypted(By the High Sierra install) SSD drive. Fortunately for me when it asked for the FileVault password, I used the password for my user account (this also worked to mount the disk in diskutility). I copied over all the info on the SSD to the External startup. Next I erased my SSD, Installed High Sierra then Migrated everything back on to the SSD from the External Harddrive. Hope this works for someone. Ive been frustrated for days and almost wiped my drive with no back up.

I just did my upgrade to macOS High Sierra with a volume that had FileVault2 enabled and had this happen (prompt for disk password but would not accept any password). I ultimately called AppleCare... they had a note on the issue.

The solution was:

Boot into the recovery OS by

- Power off the Mac

- Press-and-hold CMD+R while powering on and wait for the machine to boot.

It will prompt for a disk password but this time YOUR normal login account password will work and the volume will mount.

Take note of the "Device" name (there's a table with information about the mounted volume... the device name will be in the lower right corner). The device name may be something like "disk2s1" - write it down... you need to know that device name for the next step.

Exit Disk Utility

Select the "Utilities" menu along the top and pick the "Terminal" app.

e.g. if your device was 'disk2s1' then the command would be: diskutil apfs updatePreboot disk2s1

That will take a moment (you'll see pages of messages fly by). Once you see the root prompt (#) return, it's ready.

Reboot your mac. You're done!

The mac should now boot normally (altough if you're just upgraded to macOS High Sierra then you'll get the normal set of screens that appear the first time you log in after the upgrade... e.g. it'll probably ask you to login to your iCloud account, etc. etc.)

- There is some chance you’re directory path won’t be the same as mine. The “cd” and “ls” commands in the Terminal utility can help. “Cd” changes your location to whatever folder name you type after it, and ”ls“ lists the files and folders. “cd ..” takes you back Up one level in the folder hierarchy. Using these commands you can find the location of db/dslocal/nodes/Default specific to you.

Scratch that. I've discovered that booting with CMD+R offers an installer back to Lion whilst booting win CMD+OPT+R offers an installer for High Sierra. This version of Terminal has the "apfs" verb. So, it seems my drive has already converted to apfs so I'm trying the install again.

Please note I had no issues with running first aid on my drive, I just got the DISK PASSWORD prompt after trying to install High Sierra

Once I ran that command and restarted the installation continues for about 20 mins, it then restarted and I saw my actual login screen

Hopefully this will help someone in the same situation as me, as the other stuff on this forum did not work but as you will see it is quite close to the command apple gave me which is ran via RECOVERY boot and opening Terminal

This appears to work correctly, thank you for being clear and concise, especially with the space between Recovered/Items.

Just a note, there's going to be a lot of frustrated users that aren't familiar with terminal commands so maybe we should be clear about the Macintosh HD portion. It is probably that way on 100% out of the box Macbooks but if you have a used MacBook or you have upgraded the Harddrive there is a possibility that it is named something else. In my case my HD is named M4 SSD. So when you look up your disk in the Disk Utility look up the number disk2s1 and the actual name of the disk, because if you tell it to go to Macintosh HD and your disk is named SpongeBob, no go John Wayne. So in my case it was:

Problem is I can’t mount the APFS disk to copy the users/tokens into the Preboot volume. I’m able to unlock the volume disk, but said it failed to mount. I tried unmounting disk0 and unlock/mount disk2 as suggested, but same mounting failure. I can confirm that “diskutil apfs list” shows that disk2s1 is “Encypted: Yes (Unlocked)”. I had FileVault on in HS, then upgraded to .1 and this happened. Any suggestions or ideas from here?

This was one of the first things I tried but no luck. After running “resetpassword” from recovery terminal and going through the wizard, it ends up with the error: Failed to unwrap PCS wrapped key: Error Domain=com.apple.protectedcloudstorage Code=13 “unwrap failed with -2” UserInfo={NSDescription=unwrap failed with -2}. I even tried to first unlock the APFS volume before doing the password recovery.

Still can’t mount it. It successfully unlocks it using the “unlockVolume” command with my password so I know it’s the right password, but fails mounting. I partitioned the drive and installed a fresh OS on the new partition to get on with life, but left the affected old partition intact which is 80% of my drive, in hopes of solving this and getting back into it one day (since HS also corrupted my Time Machine password, maybe same bug or some other incompetent file system or encryption bug). Any ideas on what to do to when mounting a volume fails? Disk repair fails because it needs to mount to do most of the checks and repairs, so it doesn’t get very far. I was hoping I can exploit the “iamroot” bug on the affected partition since it goes to the logging screen when I boot into it where the password doesn’t work (like original post of this thread), but there’s no “Other” login so I can enter “root” and blank password.

More Like This

Incoming Links

This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Developer Forums Participation Agreement.